UNPKG

@rushstack/eslint-plugin-security

Version:

An ESLint plugin providing rules that identify common security vulnerabilities for browser applications, Node.js tools, and Node.js services

rushstack.io

microsoft/rushstack

73 lines (54 loc) 2.56 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
# @rushstack/eslint-plugin-security This plugin implements a collection of security rules for ESLint. Our ambition is to eventually provide a comprehensive set of recommended security rules for: - web browser applications - Node.js tools - Node.js services If you would like to request or contribute a new security rule, you are encouraged to [create a GitHub issue](https://github.com/microsoft/rushstack/issues) in the [Rush Stack](https://rushstack.io/) monorepo where this project is developed. Thanks! ## `@rushstack/security/no-unsafe-regexp` Require regular expressions to be constructed from string constants rather than dynamically building strings at runtime. #### Rule Details Regular expressions should be constructed from string constants. Dynamically building strings at runtime may introduce security vulnerabilities, performance concerns, and bugs involving incorrect escaping of special characters. #### Examples The following patterns are considered problems when `@rushstack/security/no-unsafe-regexp` is enabled: ```ts function parseRestResponse(request: ICatalogRequest, items: ICatalogItem[]): ICatalogItem[] { // Security vulnerability: A malicious user could invoke the REST service using a // "searchPattern" with a complex RegExp that causes a denial of service. const regexp: RegExp = new RegExp(request.searchPattern); return items.filter(item => regexp.test(item.title)); } ``` ```ts function hasExtension(filePath: string, extension: string): boolean { // Escaping mistake: If the "extension" string contains a special character such as ".", // it will be interpreted as a regular expression operator. Correctly escaping an arbitrary // string is a nontrivial problem due to RegExp implementation differences, as well as contextual // issues (since which characters are special changes inside RegExp nesting constructs). // In most cases, this problem is better solved without regular expressions. const regexp: RegExp = new RegExp(`\.${extension}$`); return regexp.test(filePath); } ``` The following patterns are NOT considered problems: ```ts function isInteger(s: string): boolean { return /[0-9]+/.test(s); } ``` ```ts function isInteger(s: string): boolean { return new RegExp('[0-9]+').test(s); } ``` ## Links - [CHANGELOG.md]( https://github.com/microsoft/rushstack/blob/main/stack/eslint-plugin-security/CHANGELOG.md) - Find out what's new in the latest version `@rushstack/eslint-plugin-security` is part of the [Rush Stack](https://rushstack.io/) family of projects.